Account provisioning authentication

ABSTRACT

Embodiments of the present invention are directed to methods, systems, and apparatuses for providing a secure authentication scheme for authenticating users and accounts on behalf of a service provider server computer offering services to a user. Upon determining, by the secure authentication scheme, that the user and/or account identifier associated with the user is authenticate, the service provider server computer may be provided with assurance that the user is authenticate and thereafter provide a service requested by the user.

CROSS-REFERENCES TO RELATED APPLICATIONS

This application claims the benefit of priority U.S. ProvisionalApplication No. 61/800,361, filed Mar. 15, 2013, titled “ACCOUNTPROVISIONING AUTHENTICATION,” which is incorporated by reference in itsentirety for all purposes.

BACKGROUND

The uses and capabilities of mobile communication devices have rapidlyincreased in recent years, such as the ability to make payments. Ineffect, consumers are increasingly conducting transactions using mobilecommunication devices (e.g., smart phones and other portable devices),rather than with physical forms of tender (e.g., banknotes) with setmonetary values.

Mobile wallets can typically be installed on the consumer's mobilecommunication device as a mobile application. Currently, when a consumerwants to have a payment device provisioned onto their mobile wallet, amobile wallet application on the consumer's mobile communication deviceprompts the user to enter the details of the payment device (e.g.,payment device number, expiration data, card verification number). If anunauthorized user gets hold of the consumer's payment device details,the unauthorized user may be able to provision a virtual copy of thepayment device onto their phone and could conduct unauthorizedtransactions.

Embodiments of the present invention address the above problems andother problems.

BRIEF SUMMARY

Embodiments of the present invention relate in general to improvedsystems and methods for authenticating a user attempting to utilizeservices provided by a service provider server computer. For example,the user may have a wallet application stored in a memory of the user'smobile communication device and may want to have a new account orpayment device provisioned on the user's mobile communication device foruse with the wallet application. Embodiments of the present inventionaddress the threat of fraud in such scenarios and improve the securityof the wallet application and the user's account or payment device byproviding secure and enhanced authentication services usingauthentication data for user enrolled in an authentication program.

One embodiment of the invention is directed to a method comprisingreceiving a service provider request message from a service providerserver computer comprising an account identifier. The service providerrequest message being received at an access control server computer viaa directory server. The method further comprises determining, by theaccess control server computer, that the account identifier is enrolledin an authentication program. In response to determining that theaccount identifier is enrolled in the authentication program, anauthentication request message requesting authentication data istransmitted to a mobile communication device used by a user associatedwith the account identifier. The method further comprises receiving anauthentication response message from the mobile communication devicecomprising the requested authentication data. When the access controlserver computer determines that the requested authentication data in theauthentication response message matches authentication data stored in adatabase, the method further comprises initiating an action relating tothe mobile communication device and the account identifier.

Another embodiment of invention is directed to a access server computercomprising a processor and a computer readable medium coupled to theprocessor, the computer readable medium comprising code, executable bythe processor for implementing a method. The method comprises receivinga service provider request message from a service provider servercomputer comprising an account identifier. The service provider requestmessage being received at the access control server computer via adirectory server. The method further comprises determining, by theaccess control server computer, that the account identifier is enrolledin an authentication program. In response to determining that theaccount identifier is enrolled in the authentication program, anauthentication request message requesting authentication data istransmitted to a mobile communication device used by a user associatedwith the account identifier. The method further comprises receiving anauthentication response message from the mobile communication devicecomprising the requested authentication data. When the access controlserver computer determines that the requested authentication data in theauthentication response message matches authentication data stored in adatabase, the method further comprises initiating an action relating tothe mobile communication device and the account identifier.

Another embodiment of the invention is directed to a method comprisingreceiving, at a directory server, a service provider request messagecomprising an account identifier from a service provider servercomputer. The method further comprises determining an access controlserver computer associated with the account identifier and transmittingthe service provider request message to the access control servercomputer. The method further comprises the computer receiving a serviceprovider response message from the access control server computer, andtransmitting the service provider response message to the serviceprovider server computer. The service provider server computer or theaccess control server computer may then initiate an action relating tothe account identifier and a mobile communication device used by a userassociated with the account identifier.

Another embodiment of invention is directed to a computer comprising aprocessor and a computer readable medium coupled to the processor, thecomputer readable medium comprising code, executable by the processorfor implementing a method. The method comprises receiving, at adirectory server, a service provider request message comprising anaccount identifier from a service provider server computer. The methodfurther comprises determining an access control server computerassociated with the account identifier and transmitting the serviceprovider request message to the access control server computer. Themethod further comprises the computer receiving a service providerresponse message from the access control server computer, andtransmitting the service provider response message to the serviceprovider server computer. The service provider server computer or theaccess control server computer may then initiate an action relating tothe account identifier and a mobile communication device used by a userassociated with the account identifier

These and other embodiments of the invention are described in furtherdetail below with reference to the Drawings and the DetailedDescription.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a system diagram and flowchart for a system configured toprocess service provider requests and perform a secure authentication ofan account identifier according to an embodiment of the presentinvention.

FIG. 2 depicts an exemplary block diagram of a mobile communicationdevice according to an embodiment of the present invention.

FIG. 3 depicts an exemplary block diagram of a directory serveraccording to an embodiment of the present invention.

FIG. 4 depicts an exemplary block diagram of an access control servercomputer according to an embodiment of the present invention.

FIG. 5 is a detailed flowchart describing a method of performing anauthentication of a user and provisioning an account on a mobile walletusing a secure authentication service according to an embodiment of thepresent invention.

FIG. 6 is a detailed flowchart describing a method of performing anauthentication of a user and provisioning an account on a mobile walletusing a secure authentication service according to an embodiment of thepresent invention.

FIG. 7A-7B show a depiction of initiating the process of adding anaccount to a mobile wallet according to an embodiment of the invention.

FIG. 8A-8C show a depiction of the process of adding an account to amobile wallet according to an embodiment of the invention.

FIG. 9 shows a block diagram of a computer apparatus according to anembodiment of the invention.

DETAILED DESCRIPTION

Prior to discussing embodiments of the invention, descriptions of someterms may be helpful in providing a better understanding of theinvention.

A “mobile communication device” may include a device which can be usedto communicate with another device or system. It can include a consumeror user device that is used to conduct a transaction such as a transferof funds. The mobile communication device may be capable of conductingcommunications over a network. A mobile communication device may be inany suitable form. For example, suitable mobile communication devicescan be hand-held and compact so that it can fit into a user's walletand/or pocket (e.g., pocket-sized). The mobile communication device caninclude a processor, and memory, input devices, and output devices,operatively coupled to the processor. Specific examples of mobilecommunication devices include cellular or mobile phones, tabletcomputers personal digital assistants (PDAs), pagers, portablecomputers, smart cards, and the like. The mobile communication devicemay also be referred to as a mobile device or a consumer mobile device.

An “authentication program” may include a module that can performauthentication according to a specific set of rules. An authenticationprogram may include processes related to authenticating an accountidentifier, a user, or a payment device.

“Authentication data” may include data used to authenticate a user.Authentication data may include may include, but is not limited to, anaccount number, a user's date of birth, a user's password, a user'ssocial security number, or other unique data.

An “authentication request message” may include a message sent as partof an authentication process. The authentication request message mayrequest authentication data from a user.

An “authentication response message” may include a message sent as partof an authentication process in response to an authentication requestmessage. An authentication response message may include authenticationdata provided by a user or consumer.

The term “message” may refer to any data or information that may betransported from one entity to another (e.g., from one computer orcomputing device to another computer or computing device). Further, amessage may include a single signal or data packet or a combination ofmultiple transporting signals. For example, a message may include ananalog electrical signal or digital signal that constitutes binaryinformation that may be interpreted as communicating information.Additionally, a message may comprise any number of pieces of informationincluding both private and/or public information. Messages may becommunicated internally between devices within a secure organization orexternally between a device within a secure organization or network to adevice outside of a secure organization, area, or communication network.Additionally, whether information contained within a message isconsidered public or private may be dependent on who the secureorganization or area originating the message is, who the message isbeing sent to (e.g., recipient computer or requesting computer), or inany other suitable manner. Additionally, messages may be modified,altered, or otherwise changed to comprise encrypted or anonymizedinformation.

The term “user” may refer to an individual or entity. The user may be aconsumer or business that is associated with a financial account andwhose financial account can be used to conduct financial transactionsusing a payment device associated with the financial account.

The term “account identifier” may refer to any information that may beused to identify an account. For example, the account identifier may bean account number associated with a financial account (e.g., a creditcard number or debit card number), or may be a special identifiergenerated randomly or according to a predetermined algorithm, code, orshared secret. The account identifier may also include user (or consumerdata). The account identifier for a financial account may be generatedby an issuer associated with the financial account. The accountidentifier may also be embedded in a payment device, such as in amagnetic stripe portion or a contact/contactless chip of a paymentdevice in the form of a payment card. In other embodiments, the accountidentifier may be stored in a memory component of a mobile communicationdevice for identifying the financial account associated with the accountidentifier. In some embodiments, the account identifier may include aseries of alphanumeric characters, one or more graphics, a token, a barcode, a QR code, or any other information that may be associated with anaccount.

“Provisioning” may include a process of granting the ability to use aresource or service. In embodiments of the present invention,provisioning can include adding data to a mobile communication device.

The term “initiating” may include the first steps taken in order tobegin a process or the steps conducted in order to complete a process.For example, “initiating an action relating to the mobile communicationdevice and the account identifier” can refer to the actual processrequired to complete the action relating to the mobile communicationdevice and the account identifier. However, “initiating an actionrelating to the mobile communication device and the account identifier”can also refer to the process of sending a message from the servercomputer to the payment processing network, or from the paymentprocessing network to the issuer computers, with instructions forperforming the process required to complete the action relating to themobile communication device and the account identifier.

In some embodiments of the present invention, the “action” may includeprovisioning an account identifier (e.g., a payment device) onto amobile wallet stored on the mobile communication device. In otherembodiments, the “action” may be cloning the mobile wallet from a firstmobile communication device to a second mobile communication device,adding additional users as being authorized to use the mobile wallet,remote wiping of the mobile wallet (e.g., when the mobile communicationdevice is lost or stolen).

A “server computer” may include a powerful computer or cluster ofcomputers. For example, the server computer can be a large mainframe, aminicomputer cluster, or a group of servers functioning as a unit. Inone example, the server computer may be a database server coupled to aWeb server. The server computer may be coupled to a database and mayinclude any hardware, software, other logic, or combination of thepreceding for servicing the requests from one or more client computers.The server computer may comprise one or more computational apparatusesand may use any of a variety of computing structures, arrangements, andcompilations for servicing the requests from one or more clientcomputers.

A “database” may include any hardware, software, firmware, orcombination of the preceding for storing and facilitating the retrievalof information. Also, the database may use any of a variety of datastructures, arrangements, and compilations to store and facilitate theretrieval of information.

An “issuer computer” may include an entity that issues an account. Anissuer is typically a business entity (e.g. a bank) which maintainsfinancial accounts for a plurality of users (e.g., consumers).

A “risk score” may include results of a risk analysis or evaluation. Arisk score may be in the form of an alphanumeric value such as a numberfrom 1-10 or a letter from A-Z.

A “service provider” may include any suitable entity that provides aservice. An exemplary service provider may be a wallet provider thatprovides digital wallet services, a merchant, etc.

An “access control server computer” may be a computer or system that isconfigured to provide authentication and/or verification services.

A “directory server computer” may include a server that can performmessage routing. In some embodiments, the director server is capable ofreceiving messages (e.g., service provider request messages), determinethe appropriate destination for the received messages, and route thereceived messages to the appropriate destination. In some embodiments,the directory server may include or be associated with a databasecontaining routing tables that may be used to determine an appropriateissuer associated with an account identifier.

I. Exemplary System

A system 100 configured to process service provider requests and performa secure authentication of an account identifier according to anembodiment of the present invention is shown with reference to FIG. 1.

For simplicity of illustration, a certain number of components are shownis shown in FIG. 1. It is understood, however, that embodiments of theinvention may include more than one of each component. In addition, someembodiments of the invention may include fewer than all of thecomponents shown in FIG. 1. In addition, the components in FIG. 1 maycommunicate via any suitable communication medium (including theInternet), using any suitable communications protocol.

The system 100 may include a mobile communication device 102, a walletprovider server computer 104, a directory server computer 106, a riskanalysis system 108, an access control server computer 110, a trustedservice manager system 112, and an authentication history servercomputer 114. Each of these systems and computers may be in operativecommunication with each other.

The directory server computer 106 may interact with the risk analysissystem 108 to request and obtain risk scores, and it may also interactwith the authentication history server computer 114 to store theauthentication histories associated with a number of events. Thedirectory server computer 106 may also route messages between the accesscontrol server computer 110 and a service provider server computer suchas the wallet provider server computer 104.

The trusted service manager system 112 may interact with the walletprovider server computer 104 and the access control server computer 110in order to provide data to the mobile communication device 102. Furtherdetails regarding the operation of the components in FIG. 1 are providedbelow.

FIG. 2 depicts a block diagram of an exemplary mobile communicationdevice 102. FIG. 2 shows a number of components, and the mobilecommunication devices 102 according to embodiments of the invention maycomprise any suitable combination or subset of such components. Themobile communication device 102 may comprise a memory element 102 c(e.g., computer readable medium) as shown in FIG. 2. The memory element102 c may be present within a body of the mobile communication device102 or may be detachable from it. The body of the mobile communicationdevice 102 may be in the form a plastic substrate, housing, or otherstructure. The memory element 102 c may be a memory that stores data andmay be in any suitable form including a magnetic stripe, a memory chip,uniquely derived keys (such as those described above), encryptionalgorithms, etc.

The memory element 102 c may comprise a mobile application 102 b. Themobile application 102 b may be computer code or other data stored on acomputer readable medium (e.g. memory element 102 c or secure element102 a) that may be executable by the processor 102 d to complete a task.The mobile application 102 b may be an application that operates on themobile communication device 102 that provides a user interface for userinteraction (e.g., to enter and view information).

The mobile application 102 b may communicate with the wallet providerserver computer to retrieve and return information during the processingof any of a number of services offered to the user via the mobilecommunication device 102 (e.g., provisioning accounts to a walletapplication stored on the mobile communication device 102).

The secure element 102 a may be a secure memory on the mobilecommunication device 110 such that the data contained on the secureelement 102 a cannot easily be hacked, cracked, or obtained by anunauthorized entity. The secure element 102 a may be used by the mobilecommunication device 102 to host and store data and applications thatmay require a high degree of security. The secure element 102 a may beprovided to the mobile communication device 110 by a secure elementissuer. The secure element 102 a may be either embedded in the handsetof the mobile communication device 102 or in a subscriber identitymodule (SIM) card that may be removable from the mobile communicationdevice 102. The secure element 102 a can also be included in an add-ondevice such as a micro-Secure Digital (micro-SD) card or other portablestorage device.

The secure element 102 a may store the same information such asfinancial information, bank account information, credit, debit, orprepaid account number information (or payment tokens associated withsuch credit, debit, or prepaid account numbers), account balanceinformation, expiration dates, verification values such as CVVs or dCWs,etc. Other information that may be stored in the secure element 102 amay include consumer information such as name, date of birth, etc. Inother embodiments, some, none or all of the foregoing information may bestored in the memory element 102 c or may be stored at a remote servercomputer (e.g., in the cloud at the wallet provider server computer104).

The mobile communication device 102 may further include a contactlesselement 102 e, which may typically be implemented in the form of asemiconductor chip (or other data storage element) with an associatedwireless transfer (e.g., data transmission) element, such as an antenna.Contactless element 102 e may be associated with (e.g., embedded within)the mobile communication device 102 and data or control instructionstransmitted via a cellular network may be applied to contactless element102 e by means of a contactless element interface (not shown). Thecontactless element interface may function to permit the exchange ofdata and/or control instructions between the mobile communication devicecircuitry (and hence the cellular network) and an optional contactlesselement 102 e.

The contactless element 102 e is capable of transferring and receivingdata using a near-field communications (NFC) capability (or NFC medium)typically in accordance with a standardized protocol or data transfermechanism (e.g., ISO 14443/NFC). Mobile communication devices 102 thatsupport mobile contactless payments typically support contactlesstransactions using the EMV contactless communication protocol (EMV-CCP),which is based on ISO 14443, in order to interact with merchant accessdevices. This capability may typically met by implementing NFC. The NFCcapability on the mobile communication device 110 may be enabled by anembedded NFC chip or by the addition of an external memory card oraccessory that contains the NFC chip. NFC capability is a short-rangecommunications capability, such as RFID, Bluetooth®, infra-red, or otherdata transfer capability that can be used to exchange data between themobile communication device 102 and an interrogation device. Thus, themobile communication device 102 may be capable of communicating andtransferring data and/or control instructions via both cellular networkand near-field communications capability.

The mobile communication device 102 may also include a processor 102 d(e.g., a microprocessor) for processing the functions of the mobilecommunication device 102 and a display 102 g to allow a consumer to seephone numbers and other information and messages. The mobilecommunication device 102 may further include input elements 102 j toallow a consumer to input information into the device, a speaker 102 hto allow the consumer to hear voice communications, and a microphone 102i to allow the user to transmit his or her voice through the mobilecommunication device 102. The mobile communication device 102 may alsoinclude an antenna 102 f for wireless data transfer (e.g., datatransmission).

In some embodiments, the display 102 g of the mobile device 102 may alsobe a user interface that may allow the user to select or interact withobjects presented on the display 102 g, including, but not limited tomenus, text fields, icons, and keys/inputs on a virtual keyboard. Thedisplay 102 g may be configured to present an application (e.g., awallet application), as shown in FIGS. 7A-7B and 8A-8C.

The wallet provider server computer 104 may include a processor and acomputer readable medium coupled to the processor, the computer readablemedium comprising code, executable by the processor for performing thefunctionality described below.

The wallet provider server computer 104 may manage and provide servicesto a user. In some embodiments, the services may be provided to the uservia a mobile application associated with the wallet provider servercomputer 104 and stored on a user's mobile communication device 102. Thewallet provider server computer 104 may send and receive over-the-air(OTA) messages to the mobile application stored on the user's mobilecommunication device 102.

In some embodiments, the wallet provider server computer 104 may receivea request from the user, via the mobile application, to provision anaccount on to the mobile communication device 102. In such embodiments,the wallet provider server computer 104 may be configured to generate aservice provider request message as part of an authentication process toauthenticate the user or an account identifier associated with theaccount. The wallet provider server computer 104 may be furtherconfigured to receive a service provider response message indicating theresult of the authentication process. In such embodiments, when theauthentication process is successful, the wallet provider servercomputer 104 may be configured to send an activation request message toa trusted service manager system 112 requesting the trusted servicemanager system 112 to provision the account on to a secure element 102 aor to a memory element 102 c associated with the mobile communicationdevice 102.

In some embodiments of the present invention, the wallet provider servercomputer 104 may be an example of a service provider server computer. Aservice provider server computer may provide services to a user and amobile communication device 102, other than or in addition to,wallet-related services.

The directory server computer 106 may include a computer that is usedfor message routing and/or data computation. In some embodiments, thedirectory server computer 106 is capable of receiving messages (e.g.,service provider request messages, verify enrollment request messages,and other transaction-related messages), determine the appropriatedestination for the received messages, and route the received messagesto the appropriate destination. For example, the directory servercomputer 106 may receive a service provider request message, determinethe appropriate issuer associated with an account identifier included inthe service provider request message, and then route the serviceprovider request message to the appropriate issuer. In some embodiments,the directory server computer 106 may further route the service providerrequest message to a risk analysis system 108 so that the risk analysissystem 108 can determine a risk score. In some embodiments, thedirectory server computer 106 may include or be associated with adatabase containing routing tables that may be used to determine theappropriate issuer associated with the account identifier in the serviceprovider request message. In some embodiments, the directory servercomputer 106 may be operated by a payment processing network, and may befurther configured to route messages related to financial transactions.The payment processing network (not shown) may be situated between anissuer, and an acquirer and a merchant. The payment processing networkmay further be configured to process credit and debit card transactions.

FIG. 3 depicts an exemplary block diagram of a directory server computer106 according to an embodiment of the present invention. The directoryserver computer 106 depicted in FIG. 3 shows a number of components, andthe directory server computer 106 according to embodiments of theinvention may comprise any suitable combination or subset of suchcomponents. In some embodiments, the directory server computer 106 mayinclude greater than or less than the components depicted in FIG. 3. Thedirectory server computer 106 may include a processor 106 a and acomputer readable medium 106 b coupled to the processor 106 a, thecomputer readable medium 106 b comprising code, executable by theprocessor 106 a for performing the functionality described herein. Thecomputer readable medium 106 b may store code for a message analyzermodule 106 b-1 and a routing module 106 b-2. Further details of themessage analyzer module 106 b-1 and a routing module 106 b-2 aredescribed with respect to FIGS. 1 and 6 below.

The risk analysis system 108 may be a system that is configured toreceive data and perform a risk analysis. In some embodiments, the riskanalysis system 108 receives messages from the directory server computer106, and attempts to generate a risk score associated with a querycontained in the message from the directory server computer 106. Therisk analysis system 108 may then transmit the determined risk scoreback to the directory server computer 106.

The access control server computer 110 may include a processor and acomputer readable medium coupled to the processor, the computer readablemedium comprising code, executable by the processor for performing thefunctionality described below. The access control server computer 110may be a computer or system that is configured to provide authenticationand verification services. In some embodiments, the access controlserver computer 110 may store enrollment data for enrolled users andaccount identifiers. The enrollment data may be used to indicateenrollment of users and account identifiers in an authenticationprogram.

In some embodiments, the access control server computer 110 may beconfigured to initiate a process to authenticate a user when it receivesa service provider request message. The access control server computer100 may then transmit an authentication request message to the userrequesting authentication data. The authentication request message maybe transmitted to a mobile communication device 102 associated with theuser. The access control server computer 110 may then receiveauthentication data from the user in an authentication response message.The received authentication data may then be compared with storedauthentication data. In some embodiments of the present invention, whenthe received authentication data and the stored authentication datamatch, the user or account identifier may be considered authenticatedand the access control server computer 110 may generate a serviceprovider response message indicating authentication. The access controlserver computer 110 may direct the service provider response messageback to the appropriate service provider computer (e.g., the walletprovider server computer 104).

In some embodiments, the access control server computer 110 may be anissuer access control server computer operated and managed by an issuerof the account identifier. In other embodiments, the access controlserver computer 110 may be operated by a payment processor on behalf ofan issuer.

FIG. 4 depicts an exemplary block diagram of an access control servercomputer 110 according to an embodiment of the present invention. Theaccess control server computer 110 depicted in FIG. 4 shows a number ofcomponents, and the access control server computer 110 according toembodiments of the invention may comprise any suitable combination orsubset of such components. In some embodiments, the access controlserver computer 110 may include greater than or less than the componentsdepicted in FIG. 4. The access control server computer 110 may include aprocessor 110 a and a computer readable medium 110 b coupled to theprocessor 110 a, the computer readable medium 110 b comprising code,executable by the processor 110 a for performing the functionalitydescribed herein. The computer readable medium 110 b may store code fora consumer authentication module 110 b-1, a messaging module 110 b-2,and a routing module 106 b-3. Further details of the message analyzermodule 106 b-1 and a routing module 106 b-2 are described with respectto FIGS. 1 and 5 below.

The trusted service manager system 112 may be a computer or system thatoffers services to support mobile financial services. For example, insome embodiments, the trusted service manager system 112 may provisiondata on the secure element using over-the-air communications. In someembodiments, upon successful authentication by an access control servercomputer 110, the trusted service manager system 112 may receive anactivation request from a wallet provider server computer 104 directingthe trusted service manager system 112 to provision an account to thesecure element of a mobile communication device 102 for use with awallet application. The trusted service manager system 112 may also lockor unlock the secure element 102 a on the mobile communication device102. Additionally, the trusted service manager system 112 may provideongoing secure element platform management and support.

The authentication history server computer 114 may be a database orcomputer system in communication with the directory server computer 106.In some embodiments, the authentication history server computer 114 maybe in communication with the access control server computer 110. Theauthentication history server computer 114 may be accessed as part of anauthentication process. For example, the authentication history servercomputer 114 may store user authentication data associated with accountidentifiers (e.g., credit card numbers, debit card numbers, personalaccount numbers (PANs)).

I. Exemplary Methods

Methods according to embodiments of the invention can be described withrespect to FIGS. 1-8C.

FIG. 1 shows a flow diagram for a system configured to process serviceprovider requests and perform a secure authentication of an accountidentifier according to an embodiment of the present invention.

In step 1, a user access a wallet application stored on the user'smobile communication device 102. The wallet application may be computercode or other data stored on a computer readable medium (e.g. memoryelement or secure element) that may be executable by a processor tocomplete a task. The wallet application may provide a user interface foruser interaction (e.g., to enter and view account information, sendpayments). The wallet application may communicate with a wallet providerserver computer 104 to retrieve and return information during theprocessing of services offered to the user via the mobile communicationdevice 102 (e.g., provisioning new accounts, sending mobile payments).Additionally, the wallet application can communicate with the walletprovider server computer 104 to send and receive over-the-air (OTA)messages. The mobile wallet application may be installed in a secureelement within the mobile communication device 102. The mobile walletapplication may provider the functionality to manage and maintain theuser payment information and support mobile payments.

In embodiments of the present invention, the user may access the walletapplication by selecting an icon or other text/visual graphic on theuser's mobile communication device 102. Once the wallet application hasbeen initiated, the user may be presented with a set of options andservices provided by the wallet application. For example, as depicted inFIG. 7A, the user may be provided with the option to “Send Funds,” “ViewTransaction History”, and “Add Account to Wallet.” In some embodiments,when the user selects the option “Add Account to Wallet,” the user maybe presented with a screen as depicted in FIG. 7B. In FIG. 7B, the useris prompted to provide the account details for the account that the userwants to add to their wallet application. In the case of a paymentdevice (e.g., credit card, debit card), examples of account details thatmay be requested includes the name on the account, an account type, anaccount number, an expiration date for the payment device, and a cardverification value associated with the payment device. In otherembodiments, where the user wants to add a checking or savings account,the user may be prompted to provide a bank account number and a bankrouting number.

In embodiments of the present invention, when the user submits theaccount details, the wallet application may transmit the account detailsto the wallet provider server computer 104. The account details may betransmitted over-the-air (OTA) across a mobile or cellular network.

In step 2, the wallet provider server computer 104 receives the accountdetails from the mobile communication device 102, and then generates aservice provider request message comprising the account details. Theservice provider request message may also contain user data identifyingthe user of the mobile communication device 102. In some embodiments,the service provider request message is a verify enrollment requestmessage that is sent to verify that an account identifier is enrolled inan authentication program. The account identifier may be the credit cardnumber, debit card number, or another account detail provider by theuser. The wallet provider server computer 104 may then send the serviceprovider request message to a directory server computer 106.

In step 3, the directory server computer 106 queries a risk analysissystem 108 to determine a risk score associated with the accountidentifier. The account identifier included in the service providerrequest message may be sent to the risk analysis system 108 by therouting module 106 b-2 stored in the computer readable medium 106 b ofthe directory server computer 106.

In some embodiments, the risk analysis on the account identifier is notperformed. In such embodiments, the directory server computer 106 maytransmit the service provider request message to the access controlserver computer 110, as described with respect to step 5 below.

In step 4, the risk analysis system 108 returns the risk score to thedirectory server computer 106. In some embodiments, the risk analysissystem 108 may be able to make risk assessments regarding the accountidentifier by evaluating past transaction data and past interaction datainvolving the account identifier. The risk analysis system 108 may useinternal and external sources for determining the risk score associatedwith the account identifier. The risk score may be a numerical value ormay be another type of indicator capable of expressing the riskassociated with the account identifier. In some embodiments, thedirectory server computer 106, the risk score may be included with theservice provider request message prior to being sent to the accesscontrol server computer 110. In such embodiments, the service providerrequest message may be amended to include the risk score in an unusedfield of the service provider request message, or the risk score may besent as a separate message from service provider request message.

In step 5, the directory server computer 106 transmits the serviceprovider request message to the access control server computer 110. Forexample, the account identifier may be used to locate an appropriateaccess control server computer 110 that the service provider requestmessage should be transmitted to. When the directory server computer 106has the routing data for the appropriate access control server computer110, the routing module 106 b-2 may be configured to route the serviceprovider request message to the appropriate access control servercomputer 110. In embodiments of the present invention, this process maybe performed prior to, concurrently with, or following the riskanalysis.

In step 6, the access control server computer 110 may generate andtransmit an authentication request message to the mobile communicationdevice 102. In some embodiments of the present invention, when theaccess control server computer 110 receives the service provider requestmessage, the access control server computer 110 may determine whetherthe account identifier associated with the service provider requestmessage is enrolled in the authentication program. The authenticationrequest message may be in the form of an SMS message, an e-mail, aniFrame, a pop up window, etc. If the account identifier is enrolled inthe authentication program, the authentication request message may besent to the user's mobile communication device 102 requesting that theuser provide a response to a challenge question or password request. Insome embodiments, when the account identifier is enrolled, the user maybe presented with a screen on their mobile communication device 102 asdepicted in FIG. 8A requesting that the user provide a passwordassociated with the enrolled account identifier.

In step 7, the mobile communication device 102 sends an authenticationresponse message back to the access control server computer 110. Theauthentication response message may contain a response to the requestfor authentication data sent by the access control server computer 110in the authentication request message. For example, the authenticationresponse message may include a password, passphrase, or some otherunique piece of authentication data. In embodiments of the presentinvention, the password may have been previously created by the userwhen the user enrolled in the authentication program. The authenticationdata received in the authentication response message may be comparedwith authentication data stored at the access control server computer110 to determine a result of the authentication process. If the receivedauthentication data and the stored authentication data match, the usermay be considered authenticated; if they do not match, the user may beconsidered not authenticated.

In step 8, the access control server computer 110 generates andtransmits a service provider response message to the directory servercomputer 106. The service provider response message may include theresult of the authentication process indicating whether the accountidentifier was authenticated.

In step 9, the directory server computer 106 sends the service providerresponse message to the wallet provider server computer 104. In someembodiments, the directory server computer 106 routes the serviceprovider response message to the wallet provider server computer 104through any appropriate communications means.

In step 10, upon determining that the authentication process wassuccessful, the wallet provider server computer 104 may then generateand send an activation request message to a trusted service managersystem 112. The activation request message may be to provision therequested account on to the mobile communication device 102

In step 11, the trusted server manager system 112 may provision theaccount on the mobile communication device 102. In some embodiments, theaccount may be provisioned onto a secure element 102 a associated withthe mobile communication device 102 and accessible by the walletapplication 102 b stored in a memory element 102 c of the mobilecommunication device 102. A secure link may be formed between thetrusted service manager system 112 and the mobile communication device102 so that data can be provided to the mobile communication device 102.A secure data channel and/or encryption may be used to ensure that datais securely transmitted to the mobile communication device 102.

The secure element 102 a may be a secure memory device such that thedata contained on the secure element 102 a cannot easily be hacked,cracked, or obtained by an unauthorized entity. For example, the secureelement 102 a may be an integrated circuit device that is implementedwithin a mobile communication device 102. The secure element 102 a maycontain embedded smart card-grade applications (e.g., payment,transport, etc.). The secure element 102 a may be used by the mobilecommunication device 102 to host and store data and applications thatrequire a high degree of security. The secure element 102 a may beprovided to the mobile communication device 102 by a secure elementissuer. Additionally, the secure element 102 a may be either embedded inthe handset of the mobile communication device 102 or in a subscriberidentity module (SIM) card that may be removable from the mobilecommunication device 102. The secure element can also be included in anadd-on device such as a micro-Secure Digital (microSD) card or otherremovable memory device.

Upon successful completion of the provisioning, the user may bepresented with a confirmation screen on their mobile communicationdevice 102, as depicted in FIG. 8C.

In step 12, the directory server computer 106 may store details of thecompleted authentication process in the authentication history servercomputer 114. In some embodiments of the present invention, previousauthentication processes involving the account identifier may beaccessed via the authentication history server computer 114.

FIG. 5 is a detailed flowchart describing a method of performing anauthentication of a user and provisioning an account on a mobile walletusing a secure authentication service according to an embodiment of thepresent invention. FIG. 5 describes in additional detail the processperformed by the access control server computer 110, as previouslydescribed with respect to the FIG. 1.

In step 502, the access control server computer 110 receives a serviceprovider request message comprising an account identifier. The serviceprovider request message may be received from a wallet provider servercomputer 104 (or other service provider server computer) via a directoryserver computer 106. The service provider request message may includeuser data and account data, including an account identifier.

In step 504, the access control server computer 110 determines whetherthe account identifier is enrolled in an authentication program. Whenthe access control server computer 110 receives the service providerrequest message, the access control server computer 110 may firstdetermine whether the account identifier associated with the serviceprovider request message has been enrolled in the authenticationprogram. In some embodiments, the access control server computer 110 mayquery an enrolled consumer database 110 c that may store information forenrolled user accounts and user data. For example, an entry in theenrolled consumer database 110 c may include the enrolled accountidentifier, user contact data, user mobile communication device data,and user authentication data (e.g., a password, pass phrase or uniquecode).

When the access control server computer 110 determines that the accountidentifier is enrolled in the authentication program, the processproceeds to step 506. When the access control server computer 110determines that the account identifier is not enrolled in theauthentication program, the process proceeds to step 514.

In step 506, the access control server computer 110 transmits anauthentication request message to the mobile communication device 102requesting authentication data. In some embodiments, when the accesscontrol server computer 110 determines that the account identifier isassociated with an account enrolled in the authentication program, theconsumer authentication module 110 b-1 may direct the messaging module110 b-2 to generate an authentication request message requesting thatthe user provide their user authentication data. The authenticationrequest message may then be transmitted to the user's mobilecommunication device 102 by the routing module 110 b-3.

The authentication data may include a password created by the user aspart of an enrollment process for the authentication program. In otherembodiments, the password could be created by a payment processingnetwork, or by an issuer computer, on behalf of the user. The passwordmay be alphanumeric, or composed of only numbers or only letters.Passwords are not limited to strings of characters. Other examples ofauthentication data may include a personal identification number (PIN),a unique visual image or pattern, a voice pattern, or another uniqueconfiguration of letters and/or numbers.

In step 508, the access control server computer 110 receives anauthentication response message comprising the requested authenticationdata. The access control server computer 110 may then receive anauthentication response message including received user authenticationdata. The authentication response message may be received from themobile communication device 102 by the routing module 110 b-3

In step 510, the access control server computer 110 determines that therequested authentication data matches stored authentication data. Theconsumer authentication module 110 b-1 may compare the received userauthentication data with the stored user authentication data in theenrolled consumer database 110 c. In some embodiments, the receivedauthentication data may be required to exactly match the stored userauthentication data. In other embodiments, authentication may bedetermined based on the received authentication data being within apredefined range of the stored user authentication data.

In step 512, the access control server computer 110 initiates an actionrelating to the mobile communication device 102 and the accountidentifier. In some embodiments, the access control server computerinitiates the process of provisioning of the account identifier on tothe mobile communication device 102. In such embodiments, based on theresult of the comparison, the access control server computer 110 maythen generate a service provider response message indicating the resultof the authentication process. If the access control server computer 110determined that the received user authentication data with the storeduser authentication data matched, the account identifier may beconsidered authenticated and the service can be provided (e.g.,provisioning the account on to the user's mobile communication device102). If the access control server computer 110 determined that thereceived user authentication data with the stored user authenticationdata did not match, the account identifier may be considered notauthenticated. The routing module 110 b-3 may then route the serviceprovider response message back to the appropriate destination (e.g., theservice provider server computer or wallet provider server computer).Upon successful completion of the provisioning, the user may bepresented with a confirmation screen on their mobile communicationdevice 102, as depicted in FIG. 8C.

In step 514, if the user is not enrolled in the authentication program504, the access control server computer 110 transmits a notificationmessage to the user. In some embodiments, when the access control servercomputer 110 determines that the account identifier is not enrolled inthe authentication program, the access control server computer 110 maydirect the messaging module 110 b-2 to generate a notification messageto be sent to the mobile communication device 102. The notificationmessage may provide a message to the user that they are not enrolled inthe authentication program and that in order to be authenticated, theymay contact the issuer associated with the account identifier. In someembodiments, when the account identifier is not enrolled, the user maybe presented with a screen on their mobile communication device 102 asdepicted in FIG. 8B.

In step 516, the access control server computer 110 receives anindication that the user has been authenticated by the issuer. When theuser is not enrolled in the authentication program, the user may contacttheir issuer to be authenticated via another means. For example, theuser may be asked by the issuer to provide account details or userdetails (e.g., mother's maiden name, social security number). When theyuser is authenticated by the issuer, the access control server computer110 may receive a notification that the user has been authenticated. Insuch embodiments, the process may then proceed as in step 512 above.

FIG. 6 is a detailed flowchart describing a method of performing anauthentication of a user and provisioning an account on a mobile walletusing a secure authentication service according to an embodiment of thepresent invention. FIG. 6 describes in additional detail the processperformed by the directory server computer 106, as previously describedwith respect to the FIG. 1.

In step 602, the directory server computer 106 receives a serviceprovider request message comprising an account identifier. The serviceprovider request message may also contain user data identifying the userof the mobile communication device 102, an account identifier, and dataon the mobile communication device 102 to allow communication betweenthe mobile communication device 102 and the access control servercomputer 110. In some embodiments, the service provider request messageis a verify enrollment request message that is sent to verify that anaccount identifier is enrolled in an authentication program. The accountidentifier may be a credit card number, debit card number, or anotheraccount detail provider by the user.

In step 604, the directory server computer 106 determines an accesscontrol server computer 110 associated with the account identifier. Themessage analyzer module 106 b-1 in the directory server computer 106 maybe configured to review the service provider request message. Themessage analyzer module 106 b-1 may be further configured to identify anaccount identifier or other type of identifier included in the serviceprovider request message. Upon identifying the account identifier, themessage analyzer module 106 b-1 may then access a routing tablesdatabase 106 c. The routing tables database may include one or morerouting tables that indicate the appropriate destinations for messagesreceived by the directory server computer 106. For example, the accountidentifier may be used to locate an appropriate access control servercomputer 110 that the service provider request message should betransmitted to.

In step 606, the directory server computer 106 transmits the serviceprovider request message to the access control server computer 110. Whenthe directory server computer 106 has the routing data for theappropriate access control server computer 110 associated with theaccount identifier, the routing module 106 b-2 in the directory servercomputer 106 may be configured to route the service provider requestmessage to the appropriate access control server computer 110.

In step 608, the directory server computer 106 receives a serviceprovider response message from the access control server computer 110.The service provider response message may include the result of theauthentication process indicating whether the account identifier wasauthenticated.

In step 610, the directory server computer 106 transmits the serviceprovider response message to the service provider server computer 104.The service provider server computer 104 may then send the serviceprovider response message to the wallet provider server computer 104.The service provider response message may include the result of theauthentication process indicating whether the account identifier wasauthenticated or not authenticated.

IV. Technical Benefits

Embodiments of the present invention provide a number of technicaladvantages. For example, by using a secure authentication program thatusers enroll in for authentication services, embodiments of the presentinvention provide increased security from fraud by minimizing the riskthat an unauthorized individual can successfully be provided withservices from a service provider server computer. For example, a userattempting to conduct wallet application management on a mobilecommunication device (e.g., provisioning accounts or payment devices onto the wallet application) must be authenticated via the authenticationprocess prior to being allowed to make modifications.

An additional benefit of embodiments of the present invention is theability to use existing infrastructure (e.g., directory servers used forrouting transaction-related messages and access control servercomputers) to conduct authentication services for a user attempting toprovision an account or a payment device on to a wallet application.Utilizing existing infrastructure further provides the benefits ofconserving resources by using authentication systems for transactions tofurther provide authentication services for the provision of services toa user.

V. Exemplary Apparatuses

The various participants and elements, such as, e.g., the mobilegateway, described herein with reference to the figures may operate oneor more computer apparatuses to facilitate the functions describedherein. Any of the elements in the figures, including any servers ordatabases, may use any suitable number of subsystems to facilitate thefunctions described herein.

Examples of such subsystems or components are shown in FIG. 9. Thesubsystems shown in FIG. 9 are interconnected via a system bus 900.Additional subsystems such as a printer 908, keyboard 914, fixed disk916 (or other memory comprising computer readable media), monitor 920,which is coupled to display adapter 910, and others are shown.Peripherals and input/output (I/O) devices, which couple to I/Ocontroller 902 (which can be a processor or other suitable controller),can be connected to the computer system by any number of means known inthe art, such as serial port 912. For example, serial port 912 orexternal interface 918 can be used to connect the computer apparatus toa wide area network such as the Internet, a mouse input device, or ascanner. The interconnection via system bus allows the central processor906 to communicate with each subsystem and to control the execution ofinstructions from system memory 904 or the fixed disk 916, as well asthe exchange of information between subsystems. The system memory 904and/or the fixed disk 916 may embody a computer readable medium.

Specific details regarding some of the above-described aspects areprovided above. The specific details of the specific aspects may becombined in any suitable manner without departing from the spirit andscope of embodiments of the technology. For example, back endprocessing, data analysis, data collection, and other transactions mayall be combined in some embodiments of the technology. However, otherembodiments of the technology may be directed to specific embodimentsrelating to each individual aspect, or specific combinations of theseindividual aspects.

It should be understood that the present technology as described abovecan be implemented in the form of control logic using computer software(stored in a tangible physical medium) in a modular or integratedmanner. While the present invention has been described using aparticular combination of hardware and software in the form of controllogic and programming code and instructions, it should be recognizedthat other combinations of hardware and software are also within thescope of the present invention. Based on the disclosure and teachingsprovided herein, a person of ordinary skill in the art will know andappreciate other ways and/or methods to implement the present technologyusing hardware and a combination of hardware and software

Any of the software components or functions described in thisapplication, may be implemented as software code to be executed by aprocessor using any suitable computer language such as, for example,Java, C++ or Perl using, for example, conventional or object-orientedtechniques. The software code may be stored as a series of instructions,or commands on a computer readable medium, such as a random accessmemory (RAM), a read only memory (ROM), a magnetic medium such as ahard-drive or a floppy disk, or an optical medium such as a CD-ROM. Anysuch computer readable medium may reside on or within a singlecomputational apparatus, and may be present on or within differentcomputational apparatuses within a system or network.

The above description is illustrative and is not restrictive. Manyvariations of the technology will become apparent to those skilled inthe art upon review of the disclosure. The scope of the technologyshould, therefore, be determined not with reference to the abovedescription, but instead should be determined with reference to thepending claims along with their full scope or equivalents.

In some embodiments, any of the entities described herein may beembodied by a computer that performs any or all of the functions andsteps disclosed.

One or more features from any embodiment may be combined with one ormore features of any other embodiment without departing from the scopeof the technology.

A recitation of “a”, “an” or “the” is intended to mean “one or more”unless specifically indicated to the contrary.

All patents, patent applications, publications, and descriptionsmentioned above are herein incorporated by reference in their entiretyfor all purposes. None is admitted to be prior art.

What is claimed is:
 1. A method comprising: receiving, at an accesscontrol server computer via a directory server, a service providerrequest message from a service provider server computer comprising anaccount identifier; determining, by the access control server computer,that the account identifier is enrolled in an authentication program; inresponse to determining that the account identifier is enrolled in theauthentication program, transmitting an authentication request messagerequesting authentication data, to a mobile communication device used bya user associated with the account identifier; receiving anauthentication response message from the mobile communication devicecomprising the requested authentication data; determining that therequested authentication data in the authentication response messagematches authentication data stored in a database; and initiating anaction relating to the mobile communication device and the accountidentifier when the requested authentication data in the authenticationresponse message matches the authentication data stored in the database,wherein the action comprises: requesting a trusted service managersystem to provision the account identifier on to the mobilecommunication device.
 2. The method of claim 1 wherein the serviceprovider request message is a verify enrollment request message.
 3. Themethod of claim 2 wherein the service provider server computer is awallet provider server computer, and wherein the verify enrollmentrequest message is generated by the wallet provider server computer. 4.The method of claim 1 wherein the access control server computer is anissuer access control server operated by an issuer of the accountidentifier, and wherein the account identifier is a credit or debit cardnumber.
 5. An access control server computer comprising: a processor;and a non-transitory computer readable medium coupled to the processor,the non-transitory computer readable medium comprising code, executableby the processor for implementing a method comprising: a serviceprovider request message from a service provider server computercomprising an account identifier; determining that the accountidentifier is enrolled in an authentication program; in response todetermining that the account identifier is enrolled in theauthentication program, transmitting an authentication request messagerequesting authentication data, to a mobile communication device used bya user associated with the account identifier; receiving anauthentication response message from the mobile communication devicecomprising the requested authentication data; determining that therequested authentication data in the authentication response messagematches authentication data stored in a database; and initiating anaction relating to the mobile communication device and the accountidentifier when the requested authentication data in the authenticationresponse message matches the authentication data stored in the database,wherein the action comprises: requesting a trusted service managersystem to provision the account identifier on to the mobilecommunication device.
 6. The access control server computer of claim 5wherein the service provider request message is a verify enrollmentrequest message.
 7. The access control server computer of claim 6wherein the service provider server computer is a wallet provider servercomputer, and wherein the verify enrollment request message is generatedby the wallet provider server computer.
 8. A system comprising: theaccess control server computer of claim 5; and the service providerserver computer in communication with the access control servercomputer.
 9. A method comprising: receiving, at a directory server, aservice provider request message comprising an account identifier from aservice provider server computer; determining, by the directory server,an access control server computer associated with the accountidentifier; transmitting the service provider request message to theaccess control server computer; receiving, by the directory server, aservice provider response message from the access control servercomputer; and transmitting the service provider response message to theservice provider server computer, wherein the service provider servercomputer or the access control server computer initiates an actionrelating to the account identifier and a mobile communication deviceused by a user associated with the account identifier when the accesscontrol server determines that requested authentication data in anauthentication response message matches authentication data stored in adatabase, the action comprising: requesting a trusted service managersystem to provision the account identifier on to the mobilecommunication device.
 10. The method of claim 9 wherein the serviceprovider request message is a verify enrollment request message.
 11. Themethod of claim 9 further comprising: determining a risk scoreassociated with the service provider request message and providing therisk score to the access control server computer in the service providerrequest message.
 12. The method of claim 9 wherein the service providerserver computer is a wallet provider server computer.
 13. A computercomprising: a processor; and a non-transitory computer readable mediumcoupled to the processor, the non-transitory computer readable mediumcomprising code, executable by the processor for implementing a methodcomprising: receiving a service provider request message comprising anaccount identifier from a service provider server computer; determiningan access control server computer associated with the accountidentifier; transmitting the service provider request message to theaccess control server computer; receiving, by the directory server, aservice provider response message from the access control servercomputer; and transmitting the service provider response message to theservice provider server computer, wherein the service provider servercomputer or the access control server computer initiates an actionrelating to the account identifier and a mobile communication deviceused by a user associated with the account identifier when the accesscontrol server determines that requested authentication data in anauthentication response message matches authentication data stored in adatabase, the action comprising, the action comprising: requesting atrusted service manager system to provision the account identifier on tothe mobile communication device.
 14. The computer of claim 13 whereinthe service provider request message is a verify enrollment requestmessage.
 15. The computer of claim 13 further comprising: determining arisk score associated with the service provider request message andproviding the risk score to the access control server computer in theservice provider request message.
 16. A system comprising: the computerof claim 13; the access control server computer in communication withthe computer; and the service provider server computer in communicationwith the access control server computer.